Anxiety levels in the Aave community spiked in November 2022 as Avi Eisenberg performed an attack on Aave. Eisenberg attempted to short the CRV token by using funds borrowed on the protocol to artificially deflate the value of CRV. While the attack was ultimately unsuccessful, it left the Aave community scared and even raised questions about the feasibility of large lending platforms under decentralized governance. In this work, we analyze Avi Eisenberg's actions and show how he was able to artificially lower the price of CRV by selling large quantities of borrowed CRV for stablecoins on both decentralized and centralized exchanges. Despite its failure, the attack still led to irretrievable debt worth more than 1.5 million USD at the time and thereby quadrupled the protocol's irretrievable debt. Furthermore, we highlight that his attack was enabled by the vast proportion of CRV available to borrow as well as by the design of Aave's lending protocol, which hindered rapid intervention. We stress that Eisenberg's attack exposes a predicament of large DeFi lending protocols: limit the scope or compromise on 'decentralization'.